fix for duplicate audit records when focus doesn't have authorization
skublik committed Apr 11, 2022
1 parent 7c744d1 commit 683323b
Showing 1 changed file with 8 additions and 11 deletions.
@@ -107,11 +107,7 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co
CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx);

if (checkCredentials(principal, authnCtx, connEnv)) {

if(AuthenticationEvaluatorUtil.checkRequiredAssignment(focusType.getAssignment(), authnCtx.getRequireAssignments())){
recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, null, authnCtx.getPrincipalType(), true);
recordPasswordAuthenticationSuccess(principal, connEnv, getCredential(credentials), false);
} else {
if(!AuthenticationEvaluatorUtil.checkRequiredAssignment(focusType.getAssignment(), authnCtx.getRequireAssignments())){
recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "not contains required assignment", authnCtx.getPrincipalType(), false);
recordPasswordAuthenticationFailure(principal, connEnv, getCredential(credentials), credentialsPolicy, "not contains required assignment", false);
throw new InternalAuthenticationServiceException("web.security.flexAuth.invalid.required.assignment");
@@ -121,8 +117,10 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co
recordPasswordAuthenticationFailure(principal, connEnv, getCredential(credentials), credentialsPolicy, "password mismatch", false);
throw new BadCredentialsException("web.security.provider.invalid");
}

checkAuthorizations(principal, connEnv, authnCtx);

recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, null, authnCtx.getPrincipalType(), true);
recordPasswordAuthenticationSuccess(principal, connEnv, getCredential(credentials), false);
return new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities());
}

@@ -140,17 +138,16 @@ public FocusType checkCredentials(ConnectionEnvironment connEnv, T authnCtx)
CredentialsType credentials = focusType.getCredentials();
CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx);

if (checkCredentials(principal, authnCtx, connEnv)) {
recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "password mismatch", authnCtx.getPrincipalType(), true);
recordPasswordAuthenticationSuccess(principal, connEnv, getCredential(credentials), false);
} else {
if (!checkCredentials(principal, authnCtx, connEnv)) {
recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "password mismatch", authnCtx.getPrincipalType(), false);
recordPasswordAuthenticationFailure(principal, connEnv, getCredential(credentials), credentialsPolicy, "password mismatch", false);

throw new BadCredentialsException("web.security.provider.invalid");
}

checkAuthorizations(principal, connEnv, authnCtx);

recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, null, authnCtx.getPrincipalType(), true);
recordPasswordAuthenticationSuccess(principal, connEnv, getCredential(credentials), false);
return focusType;
}
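Review bot: Once the password has been accepted, the only audit and behaviour records these methods write are the two success calls placed after `checkAuthorizations(principal, connEnv, authnCtx)`, in both `authenticate` and `checkCredentials`, so any exception leaving `checkAuthorizations` exits with nothing recorded here. The commit title implies `checkAuthorizations` writes its own failure record, but its body is not visible on this page, so every throw path in it should be confirmed to record a failure; otherwise a correct password followed by a rejected authorization leaves no audit trace. I would state that contract at both call sites, e.g. `// checkAuthorizations() audits its own failure and throws; success is recorded only after it returns`. As a style point, the reason literals `"password mismatch"` and `"not contains required assignment"` are each passed to two recorders and would be safer as shared constants. Both method bodies begin outside the visible hunks.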
